I would be interested in how to detect an ongoing DDoS attack - finding out what's going on is of course the prerequisite for any decent countermeasures.
Let's keep it simple and assume that there are only HTTP requests involved, coming from distributed sources. Stupid bots hammering the same URL or coming from the same source IP are easy to spot, we feed the logs to some perl scripts or bash-oneliners involving simple grep/awk patterns to spot them if need be, and then we fight them off with rate limits or hardcoded block rules based on IP, Agent or other criteria.
However, if they hide behind appengine or AWS farms or use other various source addresses, Agent strings and target URLs, then it gets more difficult, especially with IPv6 clients.
So is there any third-party tool that can be used to detect unusual usage patterns in real time (possibly by analyzing the latest log files)? Or even some helpful built-in function that I am not aware of?
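As an added illustration of the log-analysis approach the question describes (not code from the original post or from any vendor), the script below reads combined-format access log lines in fixed time buckets, flags a bucket whose request volume jumps against the preceding baseline, and then checks how the load is spread across source addresses, which is what distinguishes a distributed flood from a single hammering bot. The log lines, IP ranges, thresholds and window sizes are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes ...; only ip and time are used.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse(line):
    """Return (source_ip, timestamp) for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return (m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")) if m else None

def bucketize(lines, window=10):
    """Group requests into fixed `window`-second buckets -> sorted [(bucket_start_epoch, Counter(ip))]."""
    buckets = defaultdict(Counter)
    for line in lines:
        if rec := parse(line):
            ip, t = rec
            buckets[int(t.timestamp()) // window * window][ip] += 1
    return sorted(buckets.items())

def detect(lines, window=10, baseline_windows=3, factor=3.0):
    """Flag a bucket whose request count exceeds `factor` x the mean of the preceding baseline buckets.
    Per-IP counting alone misses a distributed flood, so each alert also classifies how the load is
    spread: 'concentrated' (one source dominates) or 'distributed' (many sources, a few hits each)."""
    alerts, history = [], []
    for start, ips in bucketize(lines, window):
        total = sum(ips.values())
        if len(history) >= baseline_windows:
            base = sum(history[-baseline_windows:]) / baseline_windows
            if total > factor * base:
                top_share = ips.most_common(1)[0][1] / total
                alerts.append({"start": start, "requests": total, "distinct_ips": len(ips),
                               "top_ip_share": round(top_share, 2),
                               "kind": "distributed" if top_share < 0.2 else "concentrated"})
        history.append(total)
    return alerts

def sample_log(distributed=True):
    """Constructed sample: 30 s of normal traffic (3 requests per 10 s from two clients), then a
    10 s burst of 30 requests, from 30 different addresses (distributed) or from a single one."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    def line(ip, t, path):
        return f'{ip} - - [{t:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    lines = [line(f"10.0.0.{1 + i % 2}", t0 + timedelta(seconds=i * 10 // 3), "/index.html") for i in range(9)]
    lines += [line(f"203.0.113.{i}" if distributed else "198.51.100.7",
                   t0 + timedelta(seconds=30 + i % 10), f"/page{i % 7}") for i in range(30)]
    return lines

if __name__ == "__main__":
    print(detect(sample_log()))
```

Tuning the window, baseline depth and factor against your own traffic is what keeps the volume check from firing on a legitimate burst; the distinct-IP share is the part that survives when attackers rotate addresses and agent strings.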
Hello, there are a number of articles about DDoS on the community, which suggest ways to identify and mitigate DDoS attacks:
Pulse vADC and vWAF can also help to block some types of traffic completely, and if you have any other tools which also identify undesirable traffic, then you can use the APIs to create a new rule which will block or throttle traffic from that type of source.
Pulse Traffic Manager includes real-time activity charts on individual nodes, but you could also use the optional analytics application on Pulse Services Director to look at a complete end-to-end traffic flow, which may also help to explore different types of traffic, and look at historical activity of the same type.
Other integrations are also possible. For example, on internal networks, Pulse vWAF can alert Pulse Policy Secure of suspicious activity from endpoints or IoT devices, and Pulse Policy Secure can isolate the traffic on the network, and enforce single sign out on any device using the same credentials.